<!DOCTYPE html>
<title>
  crossorigin= attribute and credentials in WebBundle subresource loading
</title>
<link
  rel="help"
  href="https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md"
/>
<link
  rel="help"
  href="https://html.spec.whatwg.org/multipage/#cors-settings-attribute"
/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="../resources/test-helpers.js"></script>
<body>
  <script>
    // In this wpt, we only test request's credential mode, which controls
    // whether UA sends a credential or not.
    // We assume that a <link> element fires a load event correctly if
    // check-cookie-and-return-bundle.py returns a valid format webbundle. That
    // happens only when UA sends a credential. We don't care of the contents of
    // a bundle. That's out of scope of this wpt.

    // See subresoruce-loading-cors{-error}.tentative.html, where we test subresource
    // loading with crossorigin= attribute, in terms of request's mode (cors or no-cors).

    document.cookie = "milk=1";

    // Make sure to set a cookie for a cross-origin domain from where a cross
    // origin bundle is served.
    const setCookiePromise = fetch(
      "https://{{domains[www1]}}:{{ports[https][0]}}/cookies/resources/set-cookie.py?name=milk&path=/web-bundle/subresource-loading/",
      {
        mode: "no-cors",
        credentials: "include",
      }
    );

    const same_origin_bundle = "./check-cookie-and-return-bundle.py";
    const cross_origin_bundle = "https://{{domains[www1]}}:{{ports[https][0]}}/web-bundle/subresource-loading/check-cookie-and-return-bundle.py";

    promise_test(async () => {
      const link = document.createElement("link");
      link.rel = "webbundle";
      link.href = same_origin_bundle;
      await addElementAndWaitForLoad(link);
      link.remove()
    }, "'no crossorigin attribute' should send a credential to a same origin bundle");

    promise_test(async () => {
      await setCookiePromise;
      const link = document.createElement("link");
      link.rel = "webbundle";
      link.href = cross_origin_bundle;
      await addElementAndWaitForError(link);
      link.remove()
    }, "'no crossorigin attribute' should not send a credential to a cross origin bundle");

    promise_test(async () => {
      const link = document.createElement("link");
      link.rel = "webbundle";
      link.href = same_origin_bundle;
      link.crossOrigin = "anonymous";
      await addElementAndWaitForLoad(link);
      link.remove()
    }, "'anonymous' should send a credential to a same origin bundle");

    promise_test(async () => {
      await setCookiePromise;
      const link = document.createElement("link");
      link.rel = "webbundle";
      link.href = cross_origin_bundle;
      link.crossOrigin = "anonymous";
      await addElementAndWaitForError(link);
      link.remove()
    }, "'anonymous' should not send a credential to a cross origin bundle");

    promise_test(async () => {
      const link = document.createElement("link");
      link.rel = "webbundle";
      link.href = same_origin_bundle;
      link.crossOrigin = "use-credentials";
      await addElementAndWaitForLoad(link);
      link.remove()
    }, "'use-credentials' should send a credential to a same origin bundle");

    promise_test(async () => {
      await setCookiePromise;
      const link = document.createElement("link");
      link.rel = "webbundle";
      link.href = cross_origin_bundle;
      link.crossOrigin = "use-credentials";
      await addElementAndWaitForLoad(link);
      link.remove()
    }, "'use-credentials' should send a credential to a cross origin bundle");
  </script>
</body>
